I'm thinking there are 3 common formats used for timestamps today, the timeval (unix sec,microsec) by libpcap, timespec (unix sec,nanosec) by AIX libpcap(?), and the Endace 64-bit fixed-point format (unix sec,fraction). All these formats use 64 bits total. I don't know about WinPcap.
WinPcap uses UNIX-style time stamps.
I don't think I'd require one format - libpcap format already does some "receiver makes it right" stuff, i.e. the file is written out in the byte order of the machine writing it, and it's the job of the code reading it to byte-swap as necessary.
Right, although preferably with some indication in the trace/record as to which is in use to make the decision easier.
Would libpcap offer time-stamp conversion routines for programs that don't understand various ones, and allow them to select?
It might make sense to have a libpcap format that's UNIX seconds plus nanoseconds (or picoseconds, or more?) and to offer a routine that takes a time stamp pointer (perhaps a union pointer) and a time stamp type and returns a time stamp in the libpcap format.
Sounds reasonable to me, allows potentially different formats with aware applications getting the advantage, and unaware applications getting compatibility (at some cost).
Perhaps have an interface like 'query_timestamp_format', then if you don't like (or understand) the time, request a conversion to the best type you do support. backwards compatibility could be by providing conversion to least-common-denominator format through the legacy pcap APIs (if legacy API support is envisaged). This could be similar to the pcap_list_datalinks() pcap_set_datalink() approach.
Stephen.
--
-----------------------------------------------------------------------
Stephen Donnelly BCMS PhD email: [EMAIL PROTECTED]
Endace Technology Ltd phone: +64 7 839 0540
Hamilton, New Zealand cell: +64 21 1104378
------------------------------------------------------------------------ This is the TCPDUMP workers list. It is archived at http://www.tcpdump.org/lists/workers/index.html To unsubscribe use mailto:[EMAIL PROTECTED]
